GDPR & DORA: Navigating Compliance and Digital Resilience in the EU
As the regulatory landscape in the European Union continues to evolve, two key frameworks have emerged as central pillars of compliance for companies operating in the digital and financial services space: the General Data Protection Regulation (GDPR) and the Digital Operational Resilience Act (DORA).
While GDPR focuses on data protection and privacy, DORA introduces a comprehensive framework to ensure the digital operational resilience of financial entities. Together, they form a regulatory duo that companies—particularly those in fintech, banking, and ICT services—must navigate with care.
A. What is GDPR?
The General Data Protection Regulation (GDPR), in force since May 2018, is designed to protect the fundamental rights of individuals by safeguarding their personal data. It applies to all entities that process the personal data of EU residents, regardless of where the company is based.
Key principles include:
- Lawfulness, fairness, and transparency
- Data minimisation and purpose limitation
- Accountability and security of processing
- Rights of data subjects (access, rectification, erasure, etc.)
Non-compliance can lead to fines of up to €20 million or 4% of global annual turnover, whichever is higher.
B. What is DORA?
The Digital Operational Resilience Act (DORA), which entered into force in January 2023 and will apply from 17 January 2025, sets uniform requirements for the ICT risk management of financial entities in the EU. DORA applies to banks, investment firms, insurance companies, crypto-asset service providers, and even third-party ICT service providers.
DORA introduces obligations related to:
- ICT risk management frameworks
- Incident reporting and classification
- Digital operational resilience testing
- Management of third-party ICT service providers
- Information-sharing arrangements among financial entities
C. How Do GDPR and DORA Interact?
While GDPR and DORA serve different regulatory objectives, they intersect on several fronts:
- Data breaches: Both regulations require incident reporting. Under GDPR, breaches involving personal data must be notified to supervisory authorities within 72 hours. Under DORA, ICT-related incidents must be classified and reported through a structured framework. A single incident that affects personal data can therefore trigger both reporting regimes, so dual compliance is critical.
- Third-party risk: Both frameworks impose obligations on vendor management. Under GDPR, data processors must provide adequate safeguards; under DORA, ICT service providers are subject to contractual, performance, and risk assessment controls.
- Data protection by design and resilience by design: GDPR promotes “privacy by design,” while DORA effectively calls for “resilience by design.” Companies must align their data governance and cybersecurity strategies to satisfy both standards.
D. Key Takeaway
Organisations should not treat GDPR and DORA as isolated compliance tasks. Instead, they should be seen as complementary frameworks that, when addressed together, enhance not only legal compliance but also digital trust and operational stability.
As the January 2025 DORA application date approaches, now is the time for companies—especially those in financial services—to revisit their GDPR compliance programs, map overlaps, and build a unified digital risk and data protection strategy.
E. How Our Law Firm Can Help
At Andria Papageorgiou Law Firm, we offer tailored legal and compliance support to help your organisation meet its obligations under both GDPR and DORA, ensuring a streamlined and strategic approach to data protection and digital resilience.
Here’s how we can assist:
✅ GDPR Compliance Services
- Drafting and reviewing privacy policies, consent forms, and data processing agreements
- Advising on lawful bases for processing and international data transfers
- Structuring internal policies for data subject rights and breach notification
- Conducting data protection impact assessments (DPIAs)
✅ DORA Readiness Support
- Gap analysis against DORA requirements for financial and ICT entities
- Assistance in setting up incident response and reporting frameworks
- Legal review of ICT service provider contracts in line with outsourcing obligations
- Advisory on operational resilience governance and board-level responsibilities
✅ Integrated Compliance Strategy
We understand the overlap between DORA and GDPR and help you create an integrated compliance framework that meets both legal and operational standards — reducing regulatory risk and enhancing business continuity.
Whether you’re a fintech startup, a regulated investment firm, or an ICT service provider, our team can provide practical, business-minded legal solutions to help you stay ahead of regulatory expectations.
In case you have any questions, please do not hesitate to contact us for further professional assistance.
Disclaimer: The information contained in this article is provided for informational purposes only, and should not be construed as legal advice on any matter. Andria Papageorgiou Law Firm is not responsible for any actions (or lack thereof) taken as a result of relying on or in any way using information contained in this article and in no event shall be liable for any damages resulting from reliance on or use of this information.